Fraudsters hone tactics as U.S. embraces EMV compliance

Companies need to batten down hatches as credit card processing changes

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

As an October mandate requiring chips in credit cards approaches, criminals are changing their tactics.

“Many fraudsters have discontinued several of the in-person or card-present fraud tactics that they have used in the past,” says CEO John Dancu of Atlanta-based IDology, which provides technology solutions that verify an individual’s identity or age in a customer-not-present environment. “Instead, criminals are moving to the card-not-present environment, such as online or in a call center.”

John Dancu, IDology CEO
John Dancu, IDology CEO

The United States is the world’s final market, according to entrepreneur.com, to become EMV-compliant. EMV is an acronym for Europay, MasterCard and Visa. Adding a chip to credit cards will make it nearly impossible to counterfeit them, so fraudsters are turning their attention elsewhere.

Widespread data breaches at many organizations—such as recent massive cybersecurity breaches at the U.S. Office of Personnel Management that stole the personal information of more than 20 million individuals—has made “a large amount of consumer information available for cyber criminals to use as they wish,” Dancu says.

Security & Privacy Weekly News Roundup: Stay informed of key patterns and trends

“Fraudsters are now able to purchase what we call a ‘perfect identity’ from places like the Dark Web,” he says. The Dark Web is Internet content that requires special software or authorizations to access and is frequently used by criminals.

“A perfect identity has enough qualifying personal data for attempting to open a fraudulent account or filing a false tax return,” Dancu says. “For organizations operating in this environment, layered solutions are needed to prevent fraud, while still limiting the friction during card-not-present transactions.”

Number of fraud attempts inches up

According to IDology’s 2014 fraud report—based on responses from 60 senior executives who are IDology customers primarily in the financial services, health care and retail industries—87 percent of respondents said their organizations had experienced suspected fraud attempts in the past 12 months. That was a big increase over the 66 percent who experienced suspected fraud in IDology’s 2013 fraud report.

In the 2013 report, suspected fraud appeared to be most prevalent in the financial services and banking industries. Only 33 percent of health care industry respondents said they experienced suspected fraud.

In the 2014 report, however, the fraud attempts “appear to have similarly impacted all industries.” Seventy-five percent of health care respondents said that they had experienced suspected fraud in the past 12 months.

The 2014 report revealed that website applications “continue to bear the brunt of attempted fraud.” More than 85 percent of survey respondents said that suspected fraud was most prevalent within such applications.

“Phishing continues to be an issue,” Dancu says. “In our fraud report, we saw a significant decrease in the amount of respondents saying that their industry is prepared to detect and prevent this type of fraud. This could be due to the increase in sophistication fraudsters deploy in their phishing schemes.”

Mobile fraud is increasing, the IDology executive says. “From mobile account takeovers to mobile caller ID spoofing, mobile malware, subscriber fraud with man-in-the-middle attacks, cell phone cloning and fake cell towers, more and more fraud schemes are being discovered every day.”

Dancu says he cannot provide much detail about specific cyber criminal attacks against his customers, because “we don’t want to provide a roadmap for fraudsters.”

Criminals sharpen their strategy

Cyber criminals, he says, are constantly evolving their tactics. “Organizations of all sizes from all industries are perpetually striving to evolve with the fraud landscape,” he says. “That is why it’s important for them to enable a robust identity-verification and fraud-prevention program that is extremely configurable and can easily mold with changing fraud tactics.”

Fraudsters are not targeting one organization or one industry at a time, Dancu says.

“Through IDology’s identity verification and fraud platform, we are able to see, in real time, how these fraudsters jump from organization to organization—to the paths of least resistance,” he says.

All IDology customers share information in the company’s Collaborative Fraud Network, and they say that working collectively “is the most effective way to reduce risk and stop fraud,” Dancu says.

Cyber-criminal attacks “are definitely global,” he says. “Plus, fraudsters can employ a variety of methods to hide identity and location online.”

In the United States, “suspected fraud activity appears to be centrally located with hotspots” in south Florida, northwest Georgia and the New York-New Jersey area, Dancu says.

Despite all the fraudulent activity, organizations must keep in mind they have plenty of above-board customers.

“When it comes to an identity verification and fraud prevention program, it is important to remember that the majority of customers are actually legitimate,” Dancu says. “The goal is to ensure that the good customers quickly and easily gain access to products and service, and, when there are fraud flags present, then you raise the level of verification to ensure that the customer is who they say they are.”

More on security risks, solutions:
Health care, banking companies issue easily spoofed emails
Cyber insurance rises to meet increasing security challenges
Hackers dig deeper, use network tools to do their dirty work